COVID 19: a SMiShing Paradise
Observing messaging behaviors over the years, we see criminals reuse the same techniques to reach the same end. It is no surprise that, when we step back, all paths lead to cash. The means to that end each have their own characteristics, and we have been battling them for nearly two decades.
Now that we are months into the COVID-19 pandemic, let's look at how criminals take advantage of this crisis from the perspective of mobile message fraud.
SMiShing (SMS phishing) is a form of phishing in which the bait is delivered over SMS/MMS mobile messaging rather than e-mail. In a criminal smishing campaign, messages purporting to come from a legitimate person or company are sent to a list of contacts, likely acquired illegally. Here are some examples of campaigns that use smishing/phishing techniques:
- Gathering lists of people who respond, to use as a contact source for another campaign, connected or not, as part of a series of coordinated efforts.
- Direct extraction of funds: the target submits their private information to a website that looks legitimate (e.g. a fake bank, Netflix account page, or bill-pay service).
- Indirect extraction of funds by posing as a person who needs help (boss, friend, family member) and asking the target to buy a gift card, photograph it, and send the picture to the criminal.
- Indirect extraction of funds by posing as a government agent (IRS, DHS, FBI, etc.) and asking the target for their Social Security number and driver's license, which the criminal then uses to open a credit card account or to gain access to the target's financial institution.
The creativity of the criminal mind is unbounded, and this is the tip of the iceberg. My company develops software and provides professional services to prevent these behaviors from harming customers, using three methods:
- Machine learning — classification and prediction of behaviors using pattern detection, risk ratings, and language understanding
- Policies — proactive rules of operation on the mobile carrier networks that blacklist specific elements of messages
- Human investigation — analysis of active and past criminal behavior in order to better train the machines, to optimize core policies, and to educate our community on how to spot fraud
COVID-19 is providing new opportunities for criminals, who use the language of the crisis to entice targets into giving up personal information. Our data science team performs ongoing analysis for our customers. As you read on, bear in mind that the volume of messages we protect measures in the hundreds of millions per day, and into the billions on heavy-volume days.
We see 1–2% of total "Application to Person" (A2P) messaging traffic include direct references to "COVID-19" or other references to the pandemic such as "coronavirus". Of these COVID-related messages, 2–5% have some fraudulent or malicious intent, using social engineering to prey on people's vulnerability in the current situation.
The volume of COVID-related messages has been fairly consistent over the past days and weeks of this pandemic. We note that fraudsters are typically more active on weekends and at the end of the month, likely converging on payday or on the times when targets have more spare time and are more easily hooked by a phishing campaign. Criminals learn from consumer behavior analysis in the same way legitimate brands measure engagement with their audience (right time, right place, right content).
We see COVID-related fraudulent messages fall into three categories. These categories are similar to the COVID-19-themed phishing and malware attacks discussed by the Anti-Phishing Working Group (APWG.org) in their recent study covering workers, healthcare facilities, and the recently unemployed.
1. Pretending to be a public institution offering financial support, in aid of identity theft
In these campaigns, we see fake banking and government sites asking the target to submit their national ID or Social Security number, along with other contact information, in order to send "your stimulus check" or some other tempting reward. Here's an example of one such campaign. Note the letter replacements (digits standing in for look-alike letters), a trick intended to slip past simple keyword filters while remaining readable to the target:
“Your government C0v1d st1mu1us cash is ready. P1ease v1s1t <url> to reg1ster.”
2. Pretending to be a bank requiring additional information, in aid of identity theft
These campaigns are similar to those above: a "bank" asks the target to go to a specific page and submit additional contact details, or to reply to the text with that information. Typically the message carries some urgency, such as a government-sponsored COVID-19 measure that supposedly requires the bank to take this action. Here's an example of one such campaign (redacted information in angle brackets):
“InfoAlert This is for <PHONE_NUMBER> Covid-19 pandemic is spreading, we have blocked your account for safety. Please sign here to resume: <url>”
3. Offers of personal loans due to COVID-related financial pressures, in aid of direct and indirect money theft
These campaigns offer low- or no-interest loans in light of COVID-19 measures. In some cases, criminals ask for your credit card details, supposedly to deposit funds into your account, when in fact the opposite will happen almost immediately. Here's an example of one such campaign:
“Hey <name>, feeling the covid crunch? You’re eligible to request up to $1000 , get started now -> <url>. Rply stop to stop”
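The letter substitutions in the first sample ("C0v1d st1mu1us") exist to defeat the kind of keyword blocklist described under "Policies" above, and all three samples share a shape: a COVID hook, a lure word, and a link. As an added example (this is not KONTXT's code, nor anything from the article), here is a small rule-based triage script that matches keywords in a substitution-tolerant way, treats the substitution itself as a signal, and checks link hosts for look-alike government names. The substitution table, keyword lists, score weights, and the URLs inside the sample messages are assumptions made for illustration; the message bodies are reconstructed from the redacted samples quoted above.

```python
"""
Rule-based SMiShing triage for COVID-themed texts.

Added example, not KONTXT's code.  The substitution table, keyword lists,
score weights and the URLs inside the sample messages are assumptions made
for illustration; the message bodies are reconstructed from the redacted
samples quoted in the article.
"""
import re
from urllib.parse import urlparse

# Letter -> characters criminals swap in for it.  The ambiguity is kept on
# purpose: "1" may stand for "i" or "l", so "st1mu1us" still matches "stimulus".
LEET = {
    "a": "a4@", "b": "b8", "e": "e3", "g": "g9", "i": "i1!|",
    "l": "l1|", "o": "o0", "s": "s5$", "t": "t7",
}
COVID_TERMS = ["covid", "coronavirus", "pandemic"]
LURE_TERMS = ["stimulus", "relief", "blocked", "suspended", "verify",
              "register", "eligible", "loan", "social security"]
GOV_WORDS = ["gov", "irs", "stimulus", "treasury"]   # look-alike host tokens
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample messages (URLs are invented; see the module docstring).
SAMPLES = {
    "stimulus": "Your government C0v1d st1mu1us cash is ready. P1ease v1s1t "
                "https://us-gov-stimulus.com/reg1ster to reg1ster.",
    "bank": "InfoAlert This is for +15551234567 Covid-19 pandemic is spreading, "
            "we have blocked your account for safety. Please sign here to "
            "resume: https://secure-bankofexample-verify.net/login",
    "loan": "Hey Alex, feeling the covid crunch? You're eligible to request up "
            "to $1000 , get started now -> https://quick-covid-loans.co/apply. "
            "Rply stop to stop",
    "benign": "Reminder: your COVID-19 vaccine appointment is tomorrow at 10am. "
              "Reply Y to confirm.",
    "benign_gov": "County update: coronavirus testing is now free at "
                  "https://health.example.gov/testing",
}


def fuzzy_pattern(word):
    """Regex matching `word` with any LEET substitutions applied."""
    parts = []
    for ch in word:
        if ch == " ":
            parts.append(r"\s+")
            continue
        alts = LEET.get(ch, ch)
        parts.append("[" + re.escape(alts) + "]" if len(alts) > 1 else re.escape(ch))
    # Leading boundary only, so "loans" and "registered" still match.
    return re.compile(r"(?<!\w)" + "".join(parts), re.IGNORECASE)


def find_terms(text, terms):
    """Return {term: text_as_written} for each term found, leet-tolerant."""
    hits = {}
    for term in terms:
        m = fuzzy_pattern(term).search(text)
        if m:
            hits[term] = m.group(0)
    return hits


def lookalike_host(url):
    """True for hosts that borrow a government word but are not under .gov."""
    host = (urlparse(url).hostname or "").lower()
    if host.endswith(".gov"):
        return False
    return any(w in host for w in GOV_WORDS)


def score_message(text):
    """Score one SMS; anything scoring 4 or more is flagged for blocking/review."""
    covid = find_terms(text, COVID_TERMS)
    lures = find_terms(text, LURE_TERMS)
    urls = [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]
    # A keyword that only matched through substitution is itself a signal:
    # legitimate senders do not write "st1mu1us".
    obfuscated = [w for w, seen in {**covid, **lures}.items()
                  if re.sub(r"\s+", " ", seen.lower()) != w]
    score = 1 if covid else 0                               # theme alone is benign
    score += 2 * len(lures)                                 # each lure keyword
    score += 1 if urls else 0
    score += 3 if any(lookalike_host(u) for u in urls) else 0
    score += 2 if obfuscated else 0
    return {"score": score, "flag": score >= 4, "lures": sorted(lures),
            "obfuscated": sorted(obfuscated), "urls": urls}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        r = score_message(msg)
        print(f"{name:10s} score={r['score']:2d} flag={r['flag']} "
              f"lures={r['lures']} obfuscated={r['obfuscated']}")
```

Run as a script, the three fraudulent samples are flagged while the two benign COVID messages are not, and the stimulus sample reports `covid`, `stimulus` and `register` as obfuscated. The design point is that the blocklist is expressed as patterns rather than literal strings: a plain `"stimulus" in text` check is exactly what "st1mu1us" is written to evade. Weights like these would be tuned against real traffic, and in production they feed a model and a human review queue rather than acting alone.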
The criminals who hooked your information may not be the same actors who exploit it; more often it is bundled with millions of other victims' records into a database that is sold to the highest bidder. It may take weeks or even months before your information is used, so if you even suspect that you have been hooked by a phishing campaign, act immediately: protect your accounts, place locks (freezes) on your credit, and report the event to the authorities in your country. For those in the United States, the FBI has set up a portal where citizens can learn about spoofing and phishing and report crimes.
What can you do to protect yourself?
Maintain a "defensive posture" and remain skeptical. Spread the word to your friends, family, and colleagues. The government will not ask you to pay fees or charges in advance in order to receive relief money. It is highly improbable that your account will be blocked because of a pandemic, and if it were, do you really think the bank would tell you in an informal text? Lastly, take a closer look at the URL you are viewing: criminals are registering domains that look like government sites, and they are now obtaining SSL/TLS certificates for them so that the browser shows a padlock, which makes them appear even more legitimate. The padlock only means the connection is encrypted; it says nothing about whether the site is who it claims to be.
Please let us know if you have had, or have heard about, a problem sending or receiving a legitimate message during this crisis or the next ones that affect our society. Protecting our vital messaging pipeline is our core business, and we will continue to invent and evolve our defensive and offensive postures. Visit us at https://www.kontxt.com.
Join me for part 2, coming soon, where we delve into mobile message fraud from a legal perspective, including the CAN-SPAM Act of 2003, current legislation under review, and how forensic techniques need to improve.